Abstract — With the rapid development of network technologies,
remote user identity authentication is becoming more and more
important to ensure that only legal users can consume the services
of the system. Recently, Shi et al. presented an improved remote
user authentication scheme with key agreement that attempts to
resist various attacks and to achieve perfect user anonymity.
However, in this paper we show that their scheme is prone to smart
card loss attack, offline password guessing attack, impersonation
attack and server spoofing attack. What is more, Shi et al.'s scheme
fails to provide user anonymity as they claimed. We then put forward
an enhanced protocol, which is more secure and suitable for the
application environment.

Index Terms — dynamic identity; mutual authentication; 
protocol; smart card. 


I. INTRODUCTION 

Owing to the rapid progress in wireless network technology,
it is becoming more and more convenient for users to enjoy
desired services from service provider servers. At the same
time, this raises the security concern that a system's protected
services might be used by illegal users in a fraudulent
manner. As a result, how to identify a remote user in an open
network becomes a crucial issue. To solve this problem, in
1981, Lamport [1] proposed the first password-based scheme
by employing a one-way hash function. Because they are simple
and passwords are easy to memorize, password-based
authentication schemes have been widely used to validate
remote users. Since then, numerous password-based protocols
[2-5] have been proposed. However, in these schemes, the
server has to store a sensitive verifier table that contains the
passwords of all the registered users. One security threat to
this kind of scheme is that once this password-verifier table is
leaked, all the registered users' passwords will be at risk. Thus,
some user authentication schemes [6-13] are designed with no
verifier table. Owing to its portability, low cost, and
cryptographic and computational capacity, the smart card is
widely used in these protocols. However, being based on a fixed
identity, schemes [1-13] may leak the registered users'
information to malicious attackers and further damage users'
privacy. To preserve users' privacy, Das et al. [14] proposed the
first dynamic ID-based two-factor authentication scheme in 2004,
which they claimed is secure against ID-theft and can resist
replay attacks, forgery attacks, guessing attacks, insider
attacks and stolen verifier attacks. Unfortunately, in 2009
Wang et al. [15] pointed out that Das et al.'s scheme is
completely insecure because it is independent of the password.
Moreover, their protocol suffers from impersonation attack
and fails to provide mutual authentication and user
anonymity. To increase security, they presented an improved
version, which Chang et al. [16] revealed is in fact not a true
dynamic-identity-based scheme and has security holes in the
password change phase, because an attacker can update the
password in a user's smart card at will. They then proposed an
untraceable remote user authentication scheme with verifiable
password update. Unfortunately, Kumari et al. [17] found that
the scheme of Chang et al. is completely insecure, and Kumari
et al. also put forward their own improved scheme. In 2015, Shi
et al. [18] presented an improvement of Kumari et al.'s protocol
and claimed that their scheme can resist various attacks and
achieve user anonymity. However, based on the security analysis,
we find that their scheme is vulnerable to smart card loss attack,
offline guessing attack, user impersonation attack and server
spoofing attack. Besides, their protocol cannot provide user
anonymity. In this paper, an enhanced dynamic-ID-based
remote user authentication scheme with smart card is
proposed. We will illustrate that with little computational cost
our protocol can not only withstand various attacks but also
achieve true user anonymity.

The rest of this paper is organized as follows: in section 2, we
review Shi et al.'s scheme briefly. Their scheme is then
analyzed in detail in section 3. Next, we propose an
enhanced dynamic-ID-based remote user authentication
scheme with smart card in section 4. In section 5, we discuss
the security of our new protocol and provide details of the
proof. Section 6 describes the performance evaluation. Finally,
we draw a conclusion in section 7.

II. Review of Shi et al.'s Scheme

We will briefly review Shi et al.'s protocol in this section. It
consists of the following four phases: registration phase, login
phase, authentication phase and password change phase. The
notations used throughout this paper are described as follows:

$U_i$ / $U_a$ / $S_i$ : User/Attacker/Server;
$ID_i$ : Identity of $U_i$;
$PW_i$ : Password of $U_i$;
$CID_i$ : Dynamic identity of $U_i$;
$SC_i$ : Smart card of $U_i$;
 : Unique random number assigned to $U_i$ by $S_i$;
$r$ : A random number selected by the smart card;
$T_1, T_2, T_3$ : Current timestamps;
$h(\cdot)$ : One-way hash function;
$E_k(\cdot)$ : A symmetric key encryption algorithm, where $k$ is the
secret key;
$\oplus$ : Bit-wise exclusive-or (XOR) operation;
$\|$ : Connection (concatenation) operation;

2.1. Registration Phase 

If a user would like to register as a legal user of the system, he
performs the following procedure:

1) The user $U_i$ first chooses his identity $ID_i$ and password
$PW_i$ freely and chooses a random number $a$ to compute the
value $R_i = h(a \| PW_i)$, and transmits $\{ID_i, R_i\}$ to the
server via a secure channel.

2) On receiving the message $\{ID_i, R_i\}$, the server chooses a
random number $r_i$ for every registered user $U_i$, then
computes the values
$TN_i = h(h(ID_i) \| x) \oplus R_i$,
$TY_i = r_i \oplus h(h(ID_i) \| x) \oplus R_i$,
$TD_i = h(ID_i \| r_i \| R_i)$ and
$TE_i = r_i \oplus h(y \| x)$.
He stores $\{TY_i, TD_i, TE_i\}$ into $SC_i$ and sends it together
with the value $TN_i$ to $U_i$ over a secure channel.

3) When the user $U_i$ receives the message from the server $S_i$,
he computes the values $A_i = h(ID_i \| PW_i) \oplus a$ and
$TM_i = TN_i \oplus a$, and keeps the values $\{A_i, TM_i\}$ in $SC_i$.

2.2. Login Phase 

After executing the registration phase, $U_i$ becomes a legal
user of the system. In order to communicate with the server,
$U_i$ inputs his identity $ID_i$ and password $PW_i$ into the smart
card; then $SC_i$ performs the following steps:

1) First, the smart card computes
$a = A_i \oplus h(ID_i \| PW_i)$ and $R_i = h(a \| PW_i)$; then it
further calculates the values
$h(h(ID_i) \| x) = TM_i \oplus a \oplus R_i$ and
$r_i = TY_i \oplus h(h(ID_i) \| x) \oplus R_i$.

2) Next, the smart card $SC_i$ computes
$TD_i' = h(ID_i \| r_i \| R_i)$ and checks whether the equation
$TD_i = TD_i'$ holds or not. If it holds, the smart card $SC_i$
continues to calculate
$h(y \| x) = r_i \oplus TE_i$ and $TN_i = TM_i \oplus a$. Otherwise,
$SC_i$ terminates the session.

3) At last, the smart card $SC_i$ gets the current timestamp $T_1$
and computes the user's dynamic identity
$CID_i = h(ID_i) \oplus h(TN_i \| r_i \| T_1)$; then $SC_i$ further
calculates the values $TG_i = TN_i \oplus h(r_i \| T_1)$ and
$TB_i = TN_i \oplus R_i$. After that, $SC_i$ randomly chooses a
number $b$ to calculate the value $Q_i = h(h(ID_i) \| b)$; then
$SC_i$ can obtain the values
$DS_i = TB_i \oplus Q_i$, $TC_i = h(TN_i \| r_i \| Q_i \| T_1)$ and
$TF_i = r_i \oplus (h(y \| x) \| T_1)$. After that, $SC_i$ transmits
the login request $\{CID_i, TG_i, TC_i, TF_i, DS_i, T_1\}$ to $S_i$.

2.3. Authentication Phase

In this phase both the user and the server take the
following steps to authenticate the legitimacy of each other
and further negotiate the common session key.

1) Upon receiving the login request
$\{CID_i, TG_i, TC_i, TF_i, DS_i, T_1\}$ from $U_i$, $S_i$ obtains the
current timestamp $T_2$ and examines the validity of $T_1$. That is,
if $T_2 - T_1 < \Delta T$ holds, $T_1$ is valid and $S_i$ continues to
execute the next step. If not, the procedure is aborted.

2) Next, $S_i$ retrieves the values
$r_i = TF_i \oplus (h(y \| x) \| T_1)$ and
$TN_i = TG_i \oplus h(r_i \| T_1)$ by using his private key $x$;
then the server continues to compute
$h(ID_i) = CID_i \oplus h(TN_i \| r_i \| T_1)$,
$TB_i^* = h(h(ID_i) \| x)$ and $Q_i^* = TB_i^* \oplus DS_i$. Next, the
server checks whether the equation
$TC_i = h(TN_i \| r_i \| Q_i^* \| T_1)$ holds or not. If not, $S_i$
terminates the session. Otherwise, $U_i$ is authenticated as a
legal user by $S_i$. At last, $S_i$ gets the current time $T_3$ to
compute $V_i = h(TB_i \| r_i \| T_3)$ and sends the response
message $\{V_i, T_3\}$ to $U_i$ immediately.

3) Upon receiving $\{V_i, T_3\}$ from $S_i$, $U_i$ examines the
freshness of $T_3$. If $T_3$ is fresh, $U_i$ continues to compute
$V_i' = h(TB_i \| r_i \| T_3)$ and compares $V_i'$ with the stored
value $V_i$. If they are equal, then $S_i$ is authenticated as a valid
server by $U_i$. Otherwise, $U_i$ drops the message and
terminates the session.

4) Finally, $U_i$ computes his session key
$SK_u = h(TB_i \| r_i \| T_1 \| T_3 \| h(y \| x) \| Q_i)$ and
$S_i$ calculates
$SK_s = h(TB_i^* \| r_i \| T_1 \| T_3 \| h(y \| x) \| Q_i^*)$.
From the discussion above, we know that $TB_i = TB_i^*$ and
$Q_i = Q_i^*$. Thus the server $S_i$ and user $U_i$ generate the same
session key $SK = SK_u = SK_s$ to encrypt or decrypt the
messages transmitted between them.

2.4. Password Change Phase 

This phase is carried out when the user wants to update his
password without connecting to the server. He should
execute the following steps:

1) $U_i$ inserts his smart card $SC_i$ into the card reader and
inputs his identity $ID_i$ and password $PW_i$, so as to request
a password change.

2) Next, $SC_i$ verifies the correctness of $TD_i$ in the way the
login phase performs. If $TD_i' \neq TD_i$, the smart card $SC_i$
rejects the password change request. Only if $TD_i' = TD_i$ will
$SC_i$ proceed.

3) Finally, $SC_i$ reminds the user $U_i$ to input the new
password $PW_i^{new}$ and computes the values
$A_i^{new} = h(ID_i \| PW_i^{new}) \oplus a$ and
$R_i^{new} = h(a \| PW_i^{new})$, and $SC_i$ continues to compute
$TM_i^{new} = TM_i \oplus R_i \oplus R_i^{new}$ and
$TD_i^{new} = h(ID_i \| r_i \| R_i^{new})$.
Then $SC_i$ replaces the stored values
$\{A_i, TD_i, TM_i, TY_i\}$ with
$\{A_i^{new}, TD_i^{new}, TM_i^{new}, TY_i^{new}\}$.

III. Security Analysis of Shi et al.'s Protocol

Before analyzing Shi et al.'s protocol, we first point out
that a smart card can no longer be deemed a fully tamper-proof
device. When a user loses his smart card, the adversary can
extract the information stored in the smart card by means of
analyzing the power consumption, as proposed by
Kocher et al. [19] and Messerges et al. [20]. In this section, we
illustrate that there exist many security holes in Shi et al.'s
scheme and describe them in detail.

3.1 Smart Card Loss Attack and Off-line Password Guessing Attack

Suppose the smart card of the user $U_i$ is stolen by an adversary
$U_a$, who is also a legal user of the system and has his own
smart card $SC_a$, and suppose $U_a$ can intercept the login
request $\{CID_i, TG_i, TC_i, TF_i, DS_i, T_1\}$ of $U_i$. We point
out that Shi et al.'s scheme is vulnerable to offline password
guessing attack owing to smart card loss, and the procedure is
as follows:

Step 1: $U_a$ extracts $\{A_a, TM_a, TY_a, TD_a, TE_a\}$ from his
smart card $SC_a$ and computes
$a' = A_a \oplus h(ID_a \| PW_a)$, $R_a = h(a' \| PW_a)$ and
$r_a = TY_a \oplus h(h(ID_a) \| x) \oplus R_a$; thus $U_a$ can obtain
the system constant value $h(y \| x)$ by
computing $h(y \| x) = TE_a \oplus r_a$.

Step 2: As the attacker $U_a$ obtains the login request
$\{CID_i, TG_i, TC_i, TF_i, DS_i, T_1\}$ of $U_i$, he can use these
values together with the value $h(y \| x)$ obtained in Step 1 to
compute
$r_i = TF_i \oplus (h(y \| x) \| T_1)$ and
$TN_i = TG_i \oplus h(r_i \| T_1)$.

Step 3: When the user's smart card $SC_i$ is stolen by the
adversary $U_a$, he can extract the
values $\{A_i, TM_i, TY_i, TD_i, TE_i, h(\cdot)\}$ stored in $SC_i$.
Then he can obtain the value of $a$ by using the extracted value
$TM_i$ and the value $TN_i$, which was computed in Step 2,
because $a = TM_i \oplus TN_i$. Consequently, the attacker
$U_a$ can obtain the hashed value $h(ID_i \| PW_i)$ by
calculating $h(ID_i \| PW_i) = A_i \oplus a$.

Step 4: Now $U_a$ launches the offline password guessing attack
using the important value $h(ID_i \| PW_i)$. First, $U_a$ chooses
a candidate identity $ID^*$ and password $PW^*$ from two
independent dictionaries respectively.

Step 5: The attacker $U_a$ further computes the value of
$h(ID^* \| PW^*)$ and compares it with $h(ID_i \| PW_i)$. If
they are equal, it indicates that the attacker $U_a$ has
successfully guessed the right identity and password of $U_i$.
Otherwise, $U_a$ returns to Step 4 until he finally finds the
true identity and password of $U_i$.

In this way, the attacker can eventually obtain the identity and
password of an arbitrary user of the system. Hence, Shi et al.'s
protocol suffers from smart card loss attack and offline
password guessing attack.
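
The scheme reviewed in Section II, modelled end to end as an added example (not code from Shi et al. or from this paper's authors). It assumes SHA-256 for $h(\cdot)$, 32-byte random values, an 8-byte timestamp encoding and zero-padding when XOR operands differ in length; the last helper checks the Section 3.1, Step 1 observation that every card yields the same $h(y \| x)$.

```python
import hashlib
import os


def h(*parts: bytes) -> bytes:
    """One-way hash h(.) over the concatenation (||) of its arguments."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bit-wise XOR. Assumption: the shorter operand is zero-padded on the right."""
    n = max(len(a), len(b))
    return bytes(p ^ q for p, q in zip(a.ljust(n, b"\0"), b.ljust(n, b"\0")))


class Server:
    def __init__(self):
        self.x, self.y = os.urandom(32), os.urandom(32)   # server secrets x, y

    def register(self, ID, R):
        """Registration step 2: returns card contents {TY, TD, TE} and TN."""
        r, k = os.urandom(32), h(h(ID), self.x)            # k = h(h(ID) || x)
        card = {"TY": xor(xor(r, k), R), "TD": h(ID, r, R),
                "TE": xor(r, h(self.y, self.x))}
        return card, xor(k, R)

    def authenticate(self, req, T3):
        """Authentication step 2 (freshness check of T1 left out of this model)."""
        CID, TG, TC, TF, DS, T1 = req
        hyx = h(self.y, self.x)
        r = xor(TF, hyx + T1)[:32]
        TN = xor(TG, h(r, T1))
        TB = h(xor(CID, h(TN, r, T1)), self.x)             # TB* = h(h(ID) || x)
        Q = xor(TB, DS)
        if TC != h(TN, r, Q, T1):
            return None                                    # reject the request
        return h(TB, r, T3), h(TB, r, T1, T3, hyx, Q)      # (V, SK_s)


class Card:
    def __init__(self, ID, PW, server):
        a = os.urandom(32)
        self.mem, TN = server.register(ID, h(a, PW))       # sends {ID, R}
        self.mem.update(A=xor(h(ID, PW), a), TM=xor(TN, a))

    def unlock(self, ID, PW):
        """Login steps 1-2: (a, R, r, h(y||x)), or None if TD does not match."""
        m = self.mem
        a = xor(m["A"], h(ID, PW))
        R = h(a, PW)
        r = xor(xor(m["TY"], xor(xor(m["TM"], a), R)), R)
        return (a, R, r, xor(r, m["TE"])) if h(ID, r, R) == m["TD"] else None

    def login(self, ID, PW, T1):
        """Login step 3: builds {CID, TG, TC, TF, DS, T1}."""
        state = self.unlock(ID, PW)
        if state is None:
            return None
        a, R, r, hyx = state
        TN = xor(self.mem["TM"], a)
        TB, Q = xor(TN, R), h(h(ID), os.urandom(32))       # Q = h(h(ID) || b)
        self.session = (TB, r, T1, hyx, Q)
        return (xor(h(ID), h(TN, r, T1)), xor(TN, h(r, T1)), h(TN, r, Q, T1),
                xor(r, hyx + T1), xor(TB, Q), T1)

    def finish(self, V, T3):
        """Authentication steps 3-4: check V, then derive SK_u."""
        TB, r, T1, hyx, Q = self.session
        return h(TB, r, T1, T3, hyx, Q) if V == h(TB, r, T3) else None


def run_session(card, server, ID, PW):
    """One login/authentication run: (SK_u, SK_s), or None on rejection."""
    T1, T3 = (1000).to_bytes(8, "big"), (1002).to_bytes(8, "big")  # constructed
    req = card.login(ID, PW, T1)
    resp = server.authenticate(req, T3) if req else None
    if resp is None:
        return None
    return card.finish(resp[0], T3), resp[1]


def card_constant(card, ID, PW):
    """TE xor r as computed on a card (Section 3.1, Step 1)."""
    state = card.unlock(ID, PW)
    return state[3] if state else None


if __name__ == "__main__":
    srv = Server()
    alice, bob = Card(b"alice", b"pw-a", srv), Card(b"bob", b"pw-b", srv)
    keys = run_session(alice, srv, b"alice", b"pw-a")
    print("session keys agree:", keys[0] == keys[1])
    print("same constant on both cards:", card_constant(alice, b"alice", b"pw-a")
          == card_constant(bob, b"bob", b"pw-b"))
```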

3.2 User Impersonation Attack 

When the smart card of the legal user has been stolen or obtained
by the attacker and he has intercepted the login request from
the open network, he can launch the offline password
guessing attack to obtain the identity and password of the user
$U_i$ as we explained in section 3.1. In this case, the attacker
$U_a$ possesses the following private values:
$ID_i$, $PW_i$, $a$, $R_i$, $r_i$, $TM_i$, $TN_i$. We show that he can
impersonate $U_i$ in the following manner without a new smart
card:

1) The attacker $U_a$ acquires the current timestamp $T_a$ and
computes the following values:
$CID_i = h(ID_i) \oplus h(TN_i \| r_i \| T_a)$,
$TG_i = TN_i \oplus h(r_i \| T_a)$ and $TB_i = TN_i \oplus R_i$. In order to
compute $DS_i$, $TC_i$ and $TF_i$, he first computes
$Q_i = h(h(ID_i) \| x)$; next, the attacker $U_a$ can obtain
these values by computing $DS_i = TB_i \oplus Q_i$,
$TC_i = h(TN_i \| r_i \| Q_i \| T_a)$ and
$TF_i = r_i \oplus (h(y \| x) \| T_a)$,
and transmits the login request
$\{CID_i, TG_i, TC_i, TF_i, DS_i, T_a\}$ to the server.

2) Obviously, the attacker's login request
$\{CID_i, TG_i, TC_i, TF_i, DS_i, T_a\}$ will be accepted by the
server because it is computed by using the valid identity $ID_i$
and password $PW_i$. So, in Shi et al.'s protocol, the attacker
$U_a$ can impersonate the legal user $U_i$ of the system.

Therefore, their scheme is vulnerable to user impersonation
attack.

3.3 Server Spoofing Attack 

As described in section 3.1 and section 3.2, the attacker
$U_a$ can obtain the system value $h(y \| x)$, which is common
for all users. Subsequently, he can get the identity $ID_i$ and
password $PW_i$ of the user by launching the offline password
guessing attack; then he computes the values
$a = A_i \oplus h(ID_i \| PW_i)$ and $R_i = h(a \| PW_i)$ in order
to get the value $h(h(ID_i) \| x) = TM_i \oplus a \oplus R_i$. With
these values in hand, $U_a$ can masquerade as the legal server
simply by the following procedure.

1) At first, $U_a$ intercepts the login
request $\{CID_i, TG_i, TC_i, TF_i, DS_i, T_1\}$ of $U_i$ and then
computes
$r_i = TF_i \oplus (h(y \| x) \| T_1)$,
$TN_i = TG_i \oplus h(r_i \| T_1)$, $TB_i^* = \ldots$

2) After that, $U_a$ acquires the current time $T_3$,
calculates $V_i = h(TB_i \| r_i \| T_3)$ and sends the response
message $\{V_i, T_3\}$ to $U_i$.

3) Since the timestamp $T_3$ is fresh and $U_a$ had
successfully guessed the identity $ID_i$ and password $PW_i$ of
$U_i$, the response message $\{V_i, T_3\}$ will certainly pass the
authentication test at the user's side.

In this way, the attacker $U_a$ can trick the user $U_i$ by
imitating the legal server.

3.4 User’s Identity is Traceable 

Based on the discussion in section 3.1, the attacker has the
ability to obtain the identity and password of the system's
legal user if he has the smart card of the user and has intercepted
all messages transmitted in a login-authentication session.
That is, the adversary can obtain the identity of an arbitrary
user, so the user's identity is traceable. Hence, Shi
et al.'s scheme cannot protect users' privacy as they
claimed.

IV. Our Enhanced Protocol

A new protocol is proposed in this section, which can resist
the attacks described in the previous sections. The proposed
scheme has the same four phases as Shi et al.'s scheme. The
details of the proposed scheme are shown below.

4.1 Registration Phase 

Before a user logs in to the remote server and becomes a legal
user of the system, he should execute the following steps as
shown in Figure 2:

1) Firstly, $U_i$ chooses his $ID_i$, $PW_i$ and a random number
$a$ and computes the value $R_i = h(PW_i \| a)$; next he
transmits the message $\{ID_i, R_i\}$ to $S_i$ via a secure channel.

2) Upon receiving the message $\{ID_i, R_i\}$ from $U_i$, $S_i$
generates a random number $r_i$ for the corresponding user $U_i$
and continues to compute the values
$TN_i = h(ID_i \| x) \oplus R_i$, $TY_i = r_i \oplus h(ID_i \| x)$,
$TD_i = h(ID_i \| r_i \| R_i)$ and $TE_i = E_x(y \oplus ID_i) \oplus r_i$.
Then the server $S_i$ keeps $\{TY_i, TD_i, TE_i, h(\cdot)\}$ in the
smart card $SC_i$ and delivers $\{SC_i, TN_i\}$ to $U_i$.


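User $U_i$:
    Choose $ID_i$, $PW_i$ and $a$
    Compute $R_i = h(a \| PW_i)$

$U_i \rightarrow S_i$: $\{R_i, ID_i\}$

Server $S_i$:
    Generate a random number $r_i$
    Compute $TN_i = h(ID_i \| x) \oplus R_i$
    $TY_i = r_i \oplus h(ID_i \| x)$
    $TD_i = h(ID_i \| r_i \| R_i)$
    $TE_i = E_x(y \oplus ID_i) \oplus r_i$
    Keep $\{TY_i, TD_i, TE_i, h(\cdot)\}$ into $SC_i$

$S_i \rightarrow U_i$: $\{TN_i, SC_i\}$

User $U_i$:
    Compute $A_i = h(ID_i \| PW_i) \oplus a$
    $TM_i = TN_i \oplus a$
    Store $\{A_i, TM_i\}$ into $SC_i$

Figure 2. The Registration Phase of the Proposed Scheme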


4.2. Login Phase 

When a registered user $U_i$ would like to log in to the
server $S_i$ and access the services, $U_i$ inserts the smart card
$SC_i$ into a terminal device and inputs his identity $ID_i$ and
password $PW_i$; then $SC_i$ performs the following steps, which
are shown in Figure 3:

1) Firstly, the smart card $SC_i$ successively computes the
following values: $a = A_i \oplus h(ID_i \| PW_i)$,
$R_i = h(a \| PW_i)$ and $h(ID_i \| x) = TM_i \oplus a \oplus R_i$, and
computes the values
$r_i = TY_i \oplus h(ID_i \| x)$ and $TD_i' = h(ID_i \| r_i \| R_i)$.

2) If $TD_i' = TD_i$, $SC_i$ continues to calculate the value
$E_x(y \oplus ID_i) = TE_i \oplus r_i$; we write
$TF_i = E_x(y \oplus ID_i)$ for simplicity. Otherwise, $SC_i$
drops the session.

3) Then, $SC_i$ acquires the current timestamp $T_1$ and
computes the user's dynamic
identity $CID_i = h(ID_i \| T_1) \oplus r_i$,
$TG_i = TN_i \oplus h(r_i \| T_1)$ and $TB_i = TN_i \oplus R_i$. After
that, the smart card $SC_i$ generates a random number
$r$ and further computes the values
$Q_i = h(ID_i \| r)$, $DS_i = TB_i \oplus Q_i$ and
$TC_i = h(TN_i \| r_i \| Q_i \| T_1)$; then $SC_i$ sends the
login request $\{TF_i, CID_i, TG_i, DS_i, TC_i, T_1\}$ to $S_i$.

4.3. Authentication Phase 

In this phase, the user and server take the following steps to
achieve mutual authentication and further negotiate the
common session key.

1) On receiving the login request
$\{TF_i, CID_i, TG_i, DS_i, TC_i, T_1\}$, $S_i$ obtains the
current time $T_2$ and verifies the validity of $T_1$. Only
when $T_1$ is fresh will the server $S_i$ continue further.
Otherwise, $S_i$ rejects all the login requests.
Subsequently $S_i$ decrypts $TF_i$ with the secret
key $x$; then he can obtain the user's identity and
$r_i = CID_i \oplus h(ID_i \| T_1)$,
$TN_i = TG_i \oplus h(r_i \| T_1)$, …
so $S_i$ can compute the value of
$TC_i^* = h(TN_i \| r_i \| Q_i^* \| T_1)$.

2) Next, $S_i$ checks whether the computed $TC_i^*$ and the
stored $TC_i$ are equal or not. If not, $S_i$ drops the
session. Only if $TC_i^* = TC_i$ will the user $U_i$ be
authenticated and the session proceed further.

3) $S_i$ acquires the current time $T_3$ to calculate
$V_i = h(TB_i \| r_i \| T_3)$ and delivers the message
$\{V_i, T_3\}$ to $U_i$.

4) Upon receiving the response message $\{V_i, T_3\}$, $SC_i$
checks $T_3$ for freshness. If $T_3$ is fresh, $SC_i$ computes
$V_i' = h(TB_i \| r_i \| T_3)$ and verifies whether the
equation $V_i' = V_i$ holds or not. If so, $U_i$ authenticates
$S_i$ as a legal server, or else $SC_i$ stops the procedure
and neglects the response message.

Finally, $S_i$ computes his session key
$SK_u = h(TB_i \| r_i \| T_1 \| T_3 \| Q_i)$ and the smart card $SC_i$
computes $SK_s = h(TB_i' \| r_i \| T_1 \| T_3 \| Q_i)$. Hence, they
have negotiated the common session
key $SK = SK_u = SK_s = h(TB_i \| r_i \| T_1 \| T_3 \| Q_i)$.



4.4. Password Change Phase 

When the user wants to update his password without
connecting to the server, he should perform the following
steps:

1) Firstly, $U_i$ inserts his smart card into the card reader and
inputs his identity and password to request a change of
his password.

2) Next, $SC_i$ verifies the correctness of $TD_i$ in the way the
login phase performs. If $TD_i' \neq TD_i$, $SC_i$ drops the
password change request. After three failures,
$SC_i$ will get blocked and the user must enter the private
unblocking key to re-activate his smart card. Only if
$TD_i' = TD_i$ will $SC_i$ proceed.

3) Then $SC_i$ reminds $U_i$ to input the new password
$PW_i^{new}$ and computes the values
$A_i^{new} = h(ID_i \| PW_i^{new}) \oplus a$,
$R_i^{new} = h(a \| PW_i^{new})$,
$TM_i^{new} = TM_i \oplus R_i \oplus R_i^{new}$ and
$TD_i^{new} = h(ID_i \| r_i \| R_i^{new})$. Finally,
$SC_i$ stores $A_i^{new}$, $TD_i^{new}$ and $TM_i^{new}$ in place of
$A_i$, $TD_i$ and $TM_i$ respectively.
User $U_i$:
    Inserts $ID_i$, $PW_i$

$U_i \rightarrow SC_i$: $ID_i$, $PW_i$

Smart card $SC_i$:
    Compute $a = A_i \oplus h(ID_i \| PW_i)$, $R_i = h(a \| PW_i)$
    $h(ID_i \| x) = TM_i \oplus a \oplus R_i$, $r_i = TY_i \oplus h(ID_i \| x)$
    Check $TD_i \stackrel{?}{=} h(ID_i \| r_i \| R_i)$
    If $TD_i = TD_i'$
    Allow $U_i$ to input new password

User $U_i$:
    Inserts $PW_i^{new}$

$U_i \rightarrow SC_i$: $PW_i^{new}$

Smart card $SC_i$:
    Compute $A_i^{new} = h(ID_i \| PW_i^{new}) \oplus a$
    $R_i^{new} = h(a \| PW_i^{new})$
    $TM_i^{new} = TM_i \oplus R_i \oplus R_i^{new}$
    $TD_i^{new} = h(ID_i \| r_i \| R_i^{new})$
    Replace $\{A_i, TD_i, TM_i\}$ with $\{A_i^{new}, TD_i^{new}, TM_i^{new}\}$

Figure 4. Password Change Phase


V. Security Analysis 

In this section, we demonstrate that our enhanced
protocol is secure against the various attacks discussed in the
previous sections. The details are as follows:

5.1. Resists replay attack

A replay attack is an offensive action through which an
attacker may impersonate the legal user or the server by
replaying a previous message. In our protocol, we assume
that the attacker has intercepted the previous authentication
information; we use timestamp $T_1$ to prevent the attacker
from replaying the request message, and likewise $T_3$ is used to
prevent the attacker from reusing the response message to
imitate the valid server. This is because both the request and
response messages undergo a timestamp freshness check through
a similar freshness verification process at each other's side.
Therefore, our protocol can withstand replay attack.

5.2. Resists offline password guessing attack 

Off-line password guessing attack means that the attacker
can use the user's smart card and the messages exchanged
between the legal user and the server to successfully guess the
user's password off-line. In this scheme, consider that an
attacker obtains a user's smart card, either because it was stolen
or because the user lost it. Then he can extract all secret values
$\{A_i, TM_i, TY_i, TD_i, TE_i\}$ stored in $SC_i$. Among these
values, $A_i = h(ID_i \| PW_i) \oplus a$,
$TM_i = h(ID_i \| x) \oplus R_i \oplus a$, $TY_i = r_i \oplus h(ID_i \| x)$,
$TD_i = h(ID_i \| r_i \| R_i)$ and $TE_i = E_x(y \oplus ID_i) \oplus r_i$. Due
to the property of the one-way hash function, we cannot retrieve
the values out of $TD_i$. And in order to obtain
the value $h(ID_i \| x)$ from $TM_i$, the attacker $U_a$ should
know the random number $a$ and the password $PW_i$ of $U_i$.
But he cannot guess the two values $\{a, PW_i\}$ at the same
time. And as $A_i$ contains another unknown value $ID_i$, $U_a$
could not retrieve these values from $A_i$ either. As a result,
$U_a$ is unable to compute the value $r_i = TY_i \oplus h(ID_i \| x)$.
In a word, $U_a$ cannot obtain the values
$\{x, r_i, h(ID_i \| x)\}$, and without knowing these values it is
impossible for him to guess an arbitrary password $PW^*$ and
verify his guess using these five
values: $A_i$, $TM_i$, $TY_i$, $TD_i$, $TE_i$. Next, suppose that $U_a$
has eavesdropped the login request
$\{TF_i, CID_i, TG_i, DS_i, TC_i, T_1\}$ of $U_i$; we show that he
still cannot use these values to verify his guess. From the
login phase, we obtain the values
$TF_i = E_x(y \oplus ID_i)$, $CID_i = h(ID_i \| T_1) \oplus r_i$,
$TG_i = TN_i \oplus h(r_i \| T_1)$, $TB_i = TN_i \oplus R_i$ and
$Q_i = h(ID_i \| r)$, and successively we get
$DS_i = TB_i \oplus Q_i$ and $TC_i = h(TN_i \| r_i \| Q_i \| T_1)$.
Similarly, $TN_i = h(ID_i \| x) \oplus R_i$ and
$R_i = h(a \| PW_i)$ can be obtained from the registration
phase. So, we
have $TG_i = h(ID_i \| x) \oplus h(a \| PW_i) \oplus h(r_i \| T_1)$ and
$TB_i = h(ID_i \| x)$, and likewise we
have $DS_i = h(ID_i \| x) \oplus h(ID_i \| r)$ and
$TC_i = h(TN_i \| r_i \| h(ID_i \| r) \| T_1)$. Each item of
$\{TF_i, CID_i, TG_i, DS_i, TC_i, T_1\}$ contains at least two
values unknown to the attacker
$U_a$, and it is not possible for him to guess two unknown
values in polynomial time.

Thus, the proposed protocol is secure against the most
damaging attack: the offline password guessing attack.

5.3. Resists privileged insider attack 

A privileged insider attack happens when an insider of the
system, such as the administrator, obtains the password of a legal
user by monitoring the registration message transmitted from
the user to the server through a secure channel. In the
proposed scheme the user uses a randomly selected number
$a$ and submits the hashed value $R_i = h(a \| PW_i)$ to protect his
password instead of sending it in plain text. As the attacker
does not know the random number $a$ and the password $PW_i$,
it is impossible for him to simultaneously guess two values in
polynomial time. Thus, it is not hard to see that the proposed
protocol is secure against privileged insider attack.

5.4. Resists user impersonation and server masquerading attack

In the proposed scheme, if an attacker would like to
impersonate $U_i$, he should compute the login request
$\{TF_i, CID_i, TG_i, DS_i, TC_i, T_1\}$ to pass the server's
verification. Without knowing the identity $ID_i$ and password
$PW_i$ of $U_i$, $U_a$ cannot calculate the random number $a$, not
to mention $R_i$ and $h(ID_i \| x)$, even if he has the smart card
of $U_i$. And he cannot simultaneously guess the possible
identity and password of the user because he has no way to
verify his guess. Thus, it is not feasible for $U_a$ to launch a user
impersonation attack. Similarly, assume that the attacker
$U_a$ has intercepted the login
request $\{TF_i, CID_i, TG_i, DS_i, TC_i, T_1\}$ of $U_i$. In order to
successfully impersonate a legal server, he should compute a
valid response message $\{V_i, T_3\}$ as an answer to the login
request. From the discussion above, $U_a$ cannot compute
$h(ID_i \| x)$ and he does not know the secret key $x$ of the
server, so he cannot decrypt $TF_i$ to get $ID_i$; therefore he
cannot calculate $r_i = CID_i \oplus h(ID_i \| T_1)$. Based on the
discussion above, it is not feasible for an attacker to launch a
server masquerading attack on the proposed scheme.

5.5. Resists smart card loss attack 

Suppose an attacker obtains the smart card of the user
and eavesdrops on the information transmitted between the two
sides over the open network. Section 4.2 shows that the
attacker cannot obtain any useful information such as
$h(ID_i \| x)$ even if he has stolen the smart card of
$U_i$ and intercepted all messages transmitted in a
login-authentication session. Hence, a lost or stolen smart
card is of no help to $U_a$ in obtaining the private information of
the user. Consequently, the security of the proposed protocol
remains unaffected by smart card loss attack.

5.6. Mutual authentication 

In our protocol, the server ensures that the login request is
from the legal user by checking whether $TC_i$ is
equal to $h(TN_i \| r_i \| Q_i^* \| T_1)$ or not, after accepting the
login request depending upon the freshness of the
timestamp $T_1$. Likewise, the user authenticates the server by
verifying whether the equation $V_i' = V_i$ holds or not,
after accepting the response message depending on the
freshness of the timestamp $T_3$. Therefore, the proposed
protocol provides secure mutual authentication between the
legal user and the valid server.

VI. Performance Comparison and Functionality Analysis

Efficiency and functionality comparisons between the
proposed protocol and the three related protocols, Shi et al.'s
[18], Kumari et al.'s [19] and Chang et al.'s [20], are shown in this
section. Table 1 shows the efficiency comparison among the
four protocols and Table 2 shows the functionality
comparison among these schemes.

In Table 1, each scheme consists of five parts: registration
phase, login phase, authentication phase, password change
phase and the sum of computational complexity.

For convenience, some notations used in the
efficiency comparison are given in the following:

$t_H$ : the time complexity of the one-way hash function;
$t_E$ : the time complexity of symmetric encryption;
$t_{XOR}$ : the time complexity of the XOR operation;


Table 1. Computational Cost 


Computational cost 

comparison 

Ours 

Shi et al. 

Kumari et al. 

Chang et al. 

Registration phase 
&XOR + ^t H + t E 

6* 'xOR + 

XOR 

^XOR ^ H 

Login phase 

XOR +t f 


^XOR 

^XOR + H 

Authentication phase 

XOR 6t H + t p 

^ XOR + H 

^ XOR 

XOR 

Password change phase 

h XOR H 

10 ^ XOR 

6 ^XOR + 6 

^XOR 

Sum of computational 

complexity 

26 t ynR + 26 t H + 3 t K 

^XOR + 35 t H 

Z^xoR+l&H 

^XOR 


Table 1 shows that the proposed protocol incurs more
computational cost than the others due to the use
of the symmetric encryption technique. But if only hash
and XOR operations are used in a scheme, the security
of the scheme cannot be guaranteed. As we can
clearly see from Table 1, the other three protocols,
which are designed only with a one-way hash function and the
XOR operation, are prone to various attacks such as smart
card loss attack, offline password guessing attack, user
impersonation attack and server masquerading attack. Thanks
to the adoption of a symmetric encryption algorithm, the
proposed scheme can resist the above attacks and provide
perfect user anonymity. Hence, our protocol is suitable for the
application environment.


Table 2. Security Comparison

Security comparison                 Ours   Shi et al.   Kumari et al.   Chang et al.
Resisting insider attack            Y      Y            Y               N
Resisting smart card loss attack    Y      N            N               N
Resisting impersonation attack      Y      N            N               N
Resisting server spoofing attack    Y      N            N               N
Offline password guessing attack    Y      N            N               N
Resisting replay attack             Y      Y            Y               Y
Providing mutual authentication     Y      N            N               N

From Table 2, it is clear that our protocol has
many important security properties. Compared with the other
three related works, our scheme is secure against insider
attack, smart card loss attack, impersonation attack, server
spoofing attack, password guessing attack and replay attack.
Furthermore, the proposed scheme can provide mutual
authentication and user anonymity.

VII. Conclusion 

In this paper, we first briefly reviewed an improved
anonymous remote user authentication scheme based on
dynamic identity. After a basic security analysis of Shi et
al.'s protocol, we found that their scheme is still subject to
various attacks and lacks user anonymity. To overcome the
weaknesses of Shi et al.'s protocol, we presented an enhanced
dynamic-ID-based remote user authentication scheme with
smart card. Through security analysis and performance
comparison, we have illustrated that with little increase in
computational cost, the proposed key agreement can resist
various attacks and provide perfect user anonymity.